How to get user password in clear text using PAM?

I am writing a PAM module that writes the username/password to a file for further transaction by another application. I only saw the PAM_AUTHTOK element, but I'm not sure what type it is. Does anyone know, or know another way to get the cleartext password?

+4
3 answers

Have you read the Linux-PAM Application Development Guide? On a system like RHEL, it will be in /usr/share/doc/pam-devel-<version>/Linux-PAM_ADG.txt, or you can find it online in various places.

Take a look at the Getting PAM Elements section, which documents the pam_get_item() function. You can request the password with the constant PAM_AUTHTOK:

PAM_AUTHTOK

 The authentication token (often a password). This token should be ignored by all module functions besides pam_sm_authenticate(3) and pam_sm_chauthtok(3). In the former function it is used to pass the most recent authentication token from one stacked module to another. In the latter function the token is used for another purpose. It contains the currently active authentication token.
+3

This is a very old thread, but there is also pam_exec: https://linux.die.net/man/8/pam_exec

E.g., something like the following in a PAM configuration:

 auth sufficient pam_exec.so expose_authtok /usr/local/bin/myscript-example 

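Contents of myscript-example, echoing all the values:

 #!/bin/sh
 # With expose_authtok, pam_exec supplies the password on stdin.
 # IFS= and -r keep leading/trailing spaces and backslashes intact.
 IFS= read -r password
 echo "User: $PAM_USER"
 echo "Ruser: $PAM_RUSER"
 echo "Rhost: $PAM_RHOST"
 echo "Service: $PAM_SERVICE"
 echo "TTY: $PAM_TTY"
 echo "Password : $password"
 exit $?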
+3

How about simply printing the contents of PAM_AUTHTOK when debugging? For using it to make sense, you must have some kind of contract or agreement between the modules.

By the way, there is a difference between holding the password in the clear and erasing it as soon as possible (or better: locking that region in RAM, or using encrypted swap) and writing the plaintext to disk. The latter is just not secure; do not do this.
0
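A defensive check for the pam_exec setup described in the answers above, as an added example that is not part of the original thread: it lists every rule in a PAM configuration directory that passes expose_authtok to pam_exec and flags a target command that is missing or group/world-writable. The function name and output format are assumptions, and it treats the first absolute path after the module name as the command.

```shell
#!/bin/sh
# Added example (not from the thread): find PAM rules that pass the cleartext
# token to an external command via pam_exec's expose_authtok option.
# Assumes /etc/pam.d-style files: "type control module args...".
# Prints one line per finding: <file> <type> <command> <ok|writable|missing>

audit_expose_authtok() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            { sub(/#.*/, "") }                             # strip comments
            /\\$/ { sub(/\\$/, " "); buf = buf $0; next }  # join continuations
            {
                line = buf $0; buf = ""
                sub(/^[ \t]+/, "", line)
                n = split(line, t, /[ \t]+/)
                seen = 0; exposed = 0; cmd = ""
                for (i = 1; i <= n; i++) {
                    if (!seen) { if (t[i] ~ /pam_exec\.so$/) seen = 1; continue }
                    if (t[i] == "expose_authtok") exposed = 1
                    # Options come first; the first absolute path is the command.
                    if (t[i] ~ /^\//) { cmd = t[i]; break }
                }
                if (exposed) { sub(/^-/, "", t[1]); print file, t[1], cmd }
            }' "$f"
    done | while read -r file type cmd; do
        if [ ! -e "$cmd" ]; then
            state=missing
        # A group- or world-writable command can be edited to read passwords.
        elif [ -n "$(find "$cmd" -prune \( -perm -020 -o -perm -002 \))" ]; then
            state=writable
        else
            state=ok
        fi
        printf '%s %s %s %s\n' "$file" "$type" "$cmd" "$state"
    done
}
```

Call it as `audit_expose_authtok /etc/pam.d`; a rule that carries expose_authtok only as an argument to the command itself is not reported, because module options end at the command path.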
